
Conversation

@thelabdude (Contributor) commented Oct 13, 2021

Fixes #331

Manually tested with Keycloak.

I went with calling this AuthenticationType Oidc even though technically, we're only using the client_credentials grant type in OAuth2 (see: https://datatracker.ietf.org/doc/html/rfc6749#section-4.4); there's no redirecting or any of that fancy OIDC stuff. I like Oidc because that corresponds better with the JWTAuthPlugin used by Solr and our config takes a wellKnownUrl which is an OIDC thing.

Example SolrCloud CRD YAML:

spec:
  ...
  solrSecurity:
    authenticationType: Oidc
    probesRequireAuth: false
    bootstrapSecurityJson:
      name: security-jwt-keycloak
      key: security.json
    oidc:
      clientCredentialsSecret: keycloak-gatekeeper
      wellKnownUrl: http://192.168.86.21:8080/auth/realms/local

security.json for Keycloak:

{
  "authentication": {
    "blockUnknown": false,
    "class": "solr.JWTAuthPlugin",
    "wellKnownUrl": "http://192.168.86.21:8080/auth/realms/local/.well-known/openid-configuration",
    "clientId": "gatekeeper",
    "redirectUris": "http://localhost:8983/solr/",
    "rolesClaim": "groups"
  },
  "authorization": {
    "class": "solr.ExternalRoleRuleBasedAuthorizationPlugin",
    "permissions": [ ... ]
  }
}

Todo:

  • Unit tests
  • Oidc support for the backup CRD controller
  • Manual test with another OIDC provider such as Okta
  • Manual test to verify the cached OAuth2 TokenSource can refresh the JWT when it expires
  • Enhance documentation
  • OAuth2 TokenSource cache invalidation, esp. after SolrCloud object is deleted, or just maybe a TTL + LRU kind of strategy

The biggest issue I see with adding this feature is that the Prometheus exporter and the bin/solr script don't support the JWTAuthPlugin (see: https://issues.apache.org/jira/browse/SOLR-12666), so users would have to open up access to anonymous requests for those endpoints. So I wonder if the better approach is to improve Solr to support multiple authentication schemes based on the provided Authorization header, either Bearer or Basic.
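The client_credentials exchange the PR description refers to (RFC 6749 section 4.4), shown end to end as an added example that is not code from this PR or from the Solr Operator: a small Go token source does OIDC discovery from the realm URL (what the CRD calls wellKnownUrl), posts the grant to the token endpoint with the client id and secret from the credentials secret, and caches the returned JWT until shortly before it expires, which is the refresh behaviour the todo list wants verified. The identity provider is an in-process stand-in for Keycloak serving the same two paths; ClientCredsSource, NewFakeIdP, the client id "gatekeeper" and the secret "s3cret" are assumptions, and the code uses only the standard library rather than golang.org/x/oauth2, which the operator itself would more likely use.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"sync"
	"time"
)

// ClientCredsSource (hypothetical, not the operator's type) obtains a JWT with the
// client_credentials grant and caches it until shortly before it expires.
type ClientCredsSource struct {
	Client                 *http.Client
	IssuerURL              string           // realm URL; discovery doc is IssuerURL + "/.well-known/openid-configuration"
	ClientID, ClientSecret string           // what the operator would read from clientCredentialsSecret
	Skew                   time.Duration    // refresh this long before the token actually expires
	Now                    func() time.Time // injectable clock; use time.Now in production
	mu                     sync.Mutex       // reconcilers run concurrently, so the cache is guarded
	tokenEP, token         string
	expiry                 time.Time
}

// tokenResp is the success response of RFC 6749 section 5.1.
type tokenResp struct {
	AccessToken string `json:"access_token"`
	TokenType   string `json:"token_type"`
	ExpiresIn   int64  `json:"expires_in"`
}

// Token returns the cached access token, or fetches a new one when none is cached
// or the cached one is within Skew of expiring.
func (s *ClientCredsSource) Token() (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.token != "" && s.Now().Add(s.Skew).Before(s.expiry) {
		return s.token, nil
	}
	if s.tokenEP == "" { // one-time OIDC discovery, as JWTAuthPlugin does with wellKnownUrl
		resp, err := s.Client.Get(s.IssuerURL + "/.well-known/openid-configuration")
		if err != nil {
			return "", err
		}
		defer resp.Body.Close()
		var doc struct{ TokenEndpoint string `json:"token_endpoint"` }
		if err = json.NewDecoder(resp.Body).Decode(&doc); err != nil || doc.TokenEndpoint == "" {
			return "", fmt.Errorf("discovery failed: %v", err)
		}
		s.tokenEP = doc.TokenEndpoint
	}
	req, _ := http.NewRequest(http.MethodPost, s.tokenEP, strings.NewReader("grant_type=client_credentials"))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	// RFC 6749 section 2.3.1: id and secret go in an HTTP Basic header, form-urlencoded
	// first. Only TLS protects the secret, so a real token endpoint must be https.
	req.SetBasicAuth(url.QueryEscape(s.ClientID), url.QueryEscape(s.ClientSecret))
	resp, err := s.Client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var tr tokenResp
	if resp.StatusCode != http.StatusOK || json.NewDecoder(resp.Body).Decode(&tr) != nil ||
		!strings.EqualFold(tr.TokenType, "bearer") || tr.AccessToken == "" {
		return "", fmt.Errorf("token endpoint %s: %s", s.tokenEP, resp.Status)
	}
	s.token, s.expiry = tr.AccessToken, s.Now().Add(time.Duration(tr.ExpiresIn)*time.Second)
	return s.token, nil
}

// NewFakeIdP is a constructed stand-in for the Keycloak realm: it serves the discovery
// document and a token endpoint that accepts exactly one client credential.
func NewFakeIdP(clientID, secret string) *httptest.Server {
	mux := http.NewServeMux()
	srv := httptest.NewUnstartedServer(mux)
	issued := 0
	mux.HandleFunc("/.well-known/openid-configuration", func(w http.ResponseWriter, r *http.Request) {
		json.NewEncoder(w).Encode(map[string]string{"token_endpoint": srv.URL + "/protocol/openid-connect/token"})
	})
	mux.HandleFunc("/protocol/openid-connect/token", func(w http.ResponseWriter, r *http.Request) {
		id, pw, ok := r.BasicAuth() // the client form-urlencoded these; our values contain no reserved chars
		if !ok || id != clientID || pw != secret || r.PostFormValue("grant_type") != "client_credentials" {
			http.Error(w, `{"error":"invalid_client"}`, http.StatusUnauthorized)
			return
		}
		issued++ // a real IdP signs a JWT here; a counter is enough to observe refreshes
		json.NewEncoder(w).Encode(tokenResp{AccessToken: fmt.Sprintf("jwt-%d", issued), TokenType: "Bearer", ExpiresIn: 300})
	})
	srv.Start()
	return srv
}

func main() {
	idp := NewFakeIdP("gatekeeper", "s3cret")
	defer idp.Close()
	src := &ClientCredsSource{Client: idp.Client(), IssuerURL: idp.URL, ClientID: "gatekeeper",
		ClientSecret: "s3cret", Skew: 30 * time.Second, Now: time.Now}
	tok, err := src.Token()
	fmt.Println(tok, err) // jwt-1 <nil>
}
```

Every request to Solr would then carry `Authorization: Bearer <token>`. Two points from the todo list show up directly in this shape: the refresh is driven by expires_in minus a skew, so a short-lived token never reaches Solr already expired, and the cache lives in the source instance, so whatever map of SolrCloud objects to sources the operator keeps has to drop the entry when the object is deleted (the TTL or LRU point in the todo).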

@thelabdude thelabdude marked this pull request as draft October 13, 2021 20:50
@thelabdude (Contributor, Author) commented Oct 18, 2021

As I progressed with this impl, I realized that the Prometheus exporter doesn't support JWT right now. Found these JIRAs that are important for this effort:
https://issues.apache.org/jira/browse/SOLR-12666
https://issues.apache.org/jira/browse/SOLR-13070

@thelabdude (Contributor, Author) commented

Now this PR only has OIDC related changes in it. However, it's unlikely I'll merge this into main anytime soon given the limitations with JWT / OIDC on the Solr side (see previous comments); at least not until SolrJ supports OIDC (so that the prometheus exporter works).

@janhoy (Contributor) commented Oct 12, 2022

Closing this. Can revive it in a new PR some time later if necessary

@janhoy janhoy closed this Oct 12, 2022
@ppazos commented Feb 13, 2023

@thelabdude, following this thread, related to my current issue: do you know if a JWT, to be used in the Solr API, can be generated without a human user logging into a web form? Because we have the case of system-to-system auth, leaving the end user GUI open for searching. Thanks!

@janhoy (Contributor) commented Feb 13, 2023

You can use a MultiAuthPlugin in Solr and use JWT for humans and BasicAuth for Operator and Prom Exporter.

@ppazos commented Feb 14, 2023

@janhoy I want to use JWT for app to Solr, not for humans. My search app is open for users, but I don't want other apps to talk to Solr; is that possible? I like tokens to expire and be renewed, instead of using basic auth. Having app-level auth would be useful in this scenario. Thanks.

@bentonjimmy commented

@janhoy Is there an example or instructions on how to use MultiAuthPlugin with the operator?

@janhoy (Contributor) commented Jun 6, 2023

To use Multi with the operator you'll need to craft the security.json yourself (e.g. through a Helm template), put it in a secret, and then tell Solr Operator to use that secret. I don't think you'll get much help from the operator itself.
For further discussion, please open a new email thread in the users mailing list.
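A security.json of the shape janhoy describes, added here as an illustration and not taken from this PR or the operator's documentation: Solr's MultiAuthPlugin with a bearer scheme (JWTAuthPlugin, for humans and for apps that hold a JWT from the identity provider) and a basic scheme (BasicAuthPlugin, for the operator and the Prometheus exporter, which only speak Basic). The key layout follows the MultiAuthPlugin section of the Solr reference guide; the realm URL, the k8s-oper user, its hash-and-salt credential placeholder, the role names and the permission list are placeholders, and the file should be checked against the guide for the Solr version in use before it goes into a cluster.

```json
{
  "authentication": {
    "class": "solr.MultiAuthPlugin",
    "schemes": [
      {
        "scheme": "bearer",
        "blockUnknown": true,
        "class": "solr.JWTAuthPlugin",
        "wellKnownUrl": "https://idp.example.com/auth/realms/local/.well-known/openid-configuration",
        "clientId": "gatekeeper",
        "rolesClaim": "groups"
      },
      {
        "scheme": "basic",
        "blockUnknown": false,
        "class": "solr.BasicAuthPlugin",
        "credentials": {
          "k8s-oper": "<base64 sha256 hash> <base64 salt>"
        }
      }
    ]
  },
  "authorization": {
    "class": "solr.MultiAuthRuleBasedAuthorizationPlugin",
    "schemes": [
      { "scheme": "bearer", "class": "solr.ExternalRoleRuleBasedAuthorizationPlugin" },
      { "scheme": "basic", "class": "solr.RuleBasedAuthorizationPlugin", "user-role": { "k8s-oper": ["k8s"] } }
    ],
    "permissions": [
      { "name": "k8s-probe", "role": null, "path": "/admin/info/system" },
      { "name": "k8s-metrics", "role": "k8s", "path": "/admin/metrics" },
      { "name": "all", "role": ["admin", "k8s"] }
    ]
  }
}
```

Solr picks the scheme from the Authorization header prefix of each request (Bearer or Basic), which is the behaviour the first comment in this thread wished for. With blockUnknown false on the basic scheme, requests carrying no credentials still reach the authorization rules, so the anonymous probe permission is what keeps liveness and readiness checks working without a password; tighten that path to the probe endpoints only. The file goes into a Secret and is referenced from spec.solrSecurity.bootstrapSecurityJson the same way the Keycloak-only file in the first comment is, and the basic user has to match the credentials the operator and exporter are configured to send.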


Development

Successfully merging this pull request may close these issues.

Support JWT authentication

4 participants